Using Oracle Data Redaction with the Continuous Compliance Engine (KBA10761)

Applicable Delphix Versions

Click here to view the versions of the Delphix engine to which this article applies

Date	Release
Jan 25, 2024	19.0.0.0
Dec 20, 2023 \| Jan 10, 2024	18.0.0.0 \| 18.0.0.1
Nov 21, 2023	17.0.0.0
Oct 18, 2023	16.0.0.0
Sep 21, 2023	15.0.0.0
Aug 24, 2023	14.0.0.0
Jul 24, 2023	13.0.0.0
Jun 21, 2023	12.0.0.0
May 25, 2023	11.0.0.0
Apr 13, 2023	10.0.0.0 \| 10.0.0.1
Mar 13, 2023 \| Mar 20, 2023	9.0.0.0 \| 9.0.0.1
Feb 13, 2023	8.0.0.0
Jan 12, 2023	7.0.0.0
Releases Prior to 2023
Major Release	All Sub Releases
6.0	6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0, 6.0.2.1, 6.0.3.0, 6.0.3.1, 6.0.4.0, 6.0.4.1, 6.0.4.2, 6.0.5.0, 6.0.6.0, 6.0.6.1, 6.0.7.0, 6.0.8.0, 6.0.8.1, 6.0.9.0, 6.0.10.0, 6.0.10.1, 6.0.11.0, 6.0.12.0, 6.0.12.1, 6.0.13.0, 6.0.13.1, 6.0.14.0, 6.0.15.0, 6.0.16.0, 6.0.17.0, 6.0.17.1, 6.0.17.2
5.3	5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0, 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0
5.2	5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1	5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0	5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1, 5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

Using Oracle Data Redaction with the Continuous Compliance Engine

This article provides informaiton on the impact of the Oracle Data Redaction feature on Continuous Compliance Engine Masking Jobs.

Overview of the Oracle Data Redaction feature

Oracle Data Redaction is an Oracle feature provided in the DBMS_REDACT package which can be used to redact data before transmitting it to users or applications.

For example, applying the following policy will replace the first 5 digits of the SSN column with the letter X:

BEGIN
   DBMS_REDACT.ADD_POLICY(
     object_schema        => 'hr',
     object_name          => 'employee',
     column_name          => 'employee_ssn',
     policy_name          => 'mask_employee_ssns',
     function_type        => DBMS_REDACT.PARTIAL,
     function_parameters  => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5',
     expression           => '1=1');
END;

A user with SELECT permissions may see redacted data when querying the employee table:

employee_id	employee_ssn
1	XXX-XX-1567
2	XXX-XX-8195

Users who also have the EXEMPT REDACTION POLICY privilege, including as the sys user, will see the original unredacted data:

employee_id	employee_ssn
1	613-00-1567
2	476-00-8195

This feature was introduced in Oracle Database 12c, and is described in Oracle's Advanced Security Guide and DBMS_REDACT documentation.

Impact of Oracle Data Redaction on Profiling jobs

Database users used as part of Profiling jobs should be granted the EXEMPT REDACTION POLICY privilege or be excluded from redaction as part of the filter expression.

If the database user is not exempt from redaction and the Oracle Data Redaction feature is in use, Profiling jobs may be impacted in the following ways:

Profiling jobs that use Type Expressions, including the Standard Profile Set, may fail to correctly classify redacted data.
Profiling jobs that use the Automated Sensitive Data Discovery (ASDD) Profile Set may fail to correctly classify redacted data.

Profiling jobs that use Legacy Profile Sets will classify columns using the column names instead of row data and will be unaffected.

Impact of Oracle Data Redaction on Masking Jobs

Database users used as part of Masking jobs should be granted the EXEMPT REDACTION POLICY privilege or be excluded from redaction as part of the filter expression.

If the database user is not exempt from redaction, and the Oracle Data Redaction feature is in use, Masking jobs may be affected in the following ways:

If the Data Redaction policy creates identical data for two inputs (masking "Ken" and "Karen" as "K****"), a Masking Algorithm may mask both values to the same output. This will create more duplicate values than expected and may violate uniqueness constraints.
If the Data Redaction policy randomizes data (such as using the DBMS_REDACT.RANDOM redaction function), a Masking Algorithm may unexpectedly create different masked output each time it is run.
If the Data Redaction policy changes the way data is presented (masking "12345" as "12***"), some Masking Algorithms may attempt to write unexpected characters back to the database, resulting in data type violations or unexpected results when using the masked data.

Impact of Oracle Data Redaction on Masked Databases

Oracle Data Redaction policies are not modified by the Continuous Compliance Engine and will still be present on databases after a Masking Job is completed. Any data returned by these policies will be based on the data modified by the Masking Job, instead of the original unmasked values.

Once sensitive data has been masked by a Masking Job, Data Redaction policies which affect these columns may no longer be required. These rules can be removed, depending on your business requirements for the masked database.

In many cases, it will be desirable to keep these Data Redaction policies in place, so that application and database behavior is consistent between the original and masked copies of the database.

KBA